This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers, click the "Reprints" link at the top of any article.

Lessons Learned from 1,000 Data Breaches … and Counting

Companies are primarily focused on protections when instead they should be considering what to do after the systems are breached.

Do you know your enemy? Are you fighting the wrong war? Despite everything you’re read about cyber security, despite all the breaches in the news, the fact is: Well-intentioned businesspeople are still surprisingly behind the times.

Thieves and hackers are by no means the main cause of data breaches. Cyber security is just one element—because physical records, paper and files, continue to play a major role. And too few managers understand that they remain responsible for lost information, even if no one’s noticed it’s been lost or taken advantage of the breach.

What does this tell you? Cyber security is just one part of the equation. Breaches happen many ways. And it could be companies are fighting the wrong war. They’re focused exclusively on protection, on encryption and firewalls for example, when they should be considering what to do after the systems are breached.

My work, my company Beazley, isn’t mainly in the business of preventing breaches. Instead, and perhaps more relevant today, we’re the people who help companies survive them. We’ve resolved over 1,000 cases in the last five years. Let me tell a few illustrative stories—and some interesting lessons to be learned.

An angry client broke into the offices of a large, prestigious law firm and stole all their hard drives. They had a great encryption system, powerful fire walls, all the latest data security software. None of that made a whit of difference; they were breached anyway.

A multi-state health provider sent a free wellness magazine to its older members. They loved it. But one month their printing system got the mailing labels wrong—each one contained not just the member’s address but their patient ID as well—and those included their Social Security numbers.

Outside contractors remodeling an office disposed of some old file cabinets. Unfortunately, scores of old computer backup tapes were stored inside them. Did bad actors get hold of the data? Was anybody hurt? No, it was only an accident. But the company was, nevertheless, responsible. They had to search for the tapes in a landfill and notify thousands of customers.

Thieves posing as employees of a recycling company worked their way up the Eastern seaboard removing X-rays from hospital radiology labs. Their plan was to retrieve and sell the silver in the films. The problem was the X-rays were marked with patient data—names, addresses, dates of birth, and Social Security numbers. The crooks were not identity thieves. They weren’t after the data. But thanks to HIPAA rules, the hospitals had to navigate around hefty fines.

A doctor was in the habit of motorcycling to work. One day his briefcase came open. He arrived safely at his office, but hundreds of patient records were scattered three miles behind him.

One company’s security system was so complete that it guarded data against its own employees. Staff had to type in secret codes to get information using special terminals with security cameras watching everything over each one. An insider, however, was stealing employee identities. She stood behind friends while they looked up data and memorized the information.

What Are the Lessons?

The first lesson learned is that more data breaches are caused by accidents than by hackers. There are plenty of crooks out there, but your own innocent employees mislay more data. The second lesson is this isn’t only an information systems problem. Pieces of paper, devices and hard drives, X-ray films, and even mailing labels can be vulnerabilities. A third lesson is that thieves come in all manner of disguises. They’re not just digital wizards in Russia; they’re maintenance men or angry clients or a fellow worker looking over your shoulder.

Another significant lesson is that you’re responsible. Thanks to HIPAA rules, legal decisions, and state and federal regulations, if important data disappears, your company has the burden of recovering it and notifying those who might be harmed. It doesn’t matter if it was an accident, if no injury resulted, if you didn’t even know there was a breach or what went missing.

One option for dealing with these risks is data breach insurance. It really has two parts. The first part is traditional insurance, to protect your company against potential losses. You need a broad, well-crafted policy with coverage and limits to address the full variety of claims arising out of your company’s underlying exposures. (There are several ways of setting limits. We’ve found that a per-person basis up to, say, 2 million or 5 million records gives us a better way to define the risk.) The other part of data breach insurance has the characteristics of a service. In the event of a complex breach, the insurer provides—and pays for—the IT forensics experts, the specialized legal help, the PR consultants, and the notification services you need.

Data breaches are, unfortunately, a part of doing business. No matter how well you’re protected they will happen. It isn’t “if”; it’s “when.”

A final lesson to be learned: A data breach doesn’t have to be a disaster—but mishandling it is.

--------------------------------------------

Mike Donovan is the global leader of technology, media, and business team with Beazley, the leading specialist insurer that is pioneering data breach response insurance through the Beazley Breach Response (BBR) product.

Treasury & Risk

Treasury & Risk is an online publication and robust website designed to meet the information needs of finance, treasury, and risk management professionals. Our editorial content, delivered through multiple interactive channels, mixes strategic insights from thought leaders with in-depth analysis of best practices, original research projects, and case studies with corporate innovators.